TrafficStealer malware abuses open container APIs in order to redirect traffic to specific websites and manipulate engagement with ads, Trend Micro researchers have found. Attackers scan the internet to identify websites with a high potential for generating ad revenues. They specifically target these high-value sites to generate fake clicks on the advertisements, resulting in high ad revenues for the threat actor.
TrafficStealer uses a combination of two techniques:
- Web crawling. This involves scanning the internet for websites that have a high potential for ad revenue, then driving traffic to these sites through the attacker’s network.
- Click simulation. Once the target websites have been identified, the software generates fake clicks on the ads displayed on those sites. This increases the perceived engagement with the ads, leading to higher ad revenue for the attackers.
The Trend Micro researchers observed abnormal behavior and traffic from one of their containerized honeypots (a controlled environment for examining different types of threats).
Impact
TrafficStealer uses a pre-built Docker container image with traffic monetization features. If the malware is unknowingly run on the targeted cloud resource — similar to the way crypto miners abuse a victim’s CPU to mine cryptocurrency — it can take advantage of the victim’s network traffic and generate revenue for the attacker. The container image has been pulled more than 500,000 times from Docker Hub, indicating the massive scale of this attack.
High-traffic Linux hosts running containerized environments — especially misconfigured machines and/or containers — are particularly vulnerable.
DXC perspective
To thwart TrafficStealer and other malware, we recommend a robust cyber defense program as well as the following specific practices:
- Employ zero-trust security on all container environments.
- Do not leave container APIs unsecured.
- Implement a container authorization policy. No container should be allowed to run without being scanned, signed and approved.
- Implement an antimalware scanning policy for container images.
- Monitor for abnormal user behavior and web traffic.
- Install and regularly update antivirus software on all hosts and enable real-time detection.
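The second practice above, not leaving container APIs unsecured, can be checked on a Docker host. The following script is an added example (not Trend Micro or DXC code): it audits the listeners configured in a daemon.json "hosts" list and on a dockerd command line (the -H/--host flags of a systemd ExecStart), and flags every tcp:// listener that is not protected by --tlsverify, the mutual-TLS setting that requires client certificates. The daemon.json and command-line samples in the block are constructed for illustration.

```python
"""Audit Docker daemon listeners for an unauthenticated TCP API.

Added example (not Trend Micro or DXC code): flags every tcp:// listener
in a daemon.json "hosts" list or a dockerd -H/--host flag that is not
protected by --tlsverify (mutual TLS). Sample inputs are constructed.
"""
import json
import shlex

# Constructed samples: an exposed daemon next to a hardened one.
INSECURE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

def findings_for(hosts, tls_verify):
    """One finding per tcp:// listener that lacks client-certificate auth."""
    return [f"{h}: TCP API listener without tlsverify"
            for h in hosts if h.startswith("tcp://") and not tls_verify]

def audit_daemon_json(text):
    """Audit a daemon.json document given as text."""
    cfg = json.loads(text) if text.strip() else {}
    # "tls" alone only encrypts; "tlsverify" also requires a client cert.
    return findings_for(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))

def audit_cmdline(cmdline):
    """Audit a dockerd command line such as a systemd ExecStart value."""
    argv = shlex.split(cmdline)
    hosts, tls_verify, i = [], False, 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return findings_for(hosts, tls_verify)

if __name__ == "__main__":
    for label, text in (("insecure", INSECURE_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_json(text) or "no findings")
    print("cmdline", audit_cmdline("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"))
```

On a real host, feed it the contents of /etc/docker/daemon.json and the ExecStart line from the docker.service unit; a unix:// or fd:// socket alone produces no findings because it is not reachable over the network.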
Threat hunting tips
The TrafficStealer service requires its subscribers to create an account and generate a token to be used during monetization, along with a unique ID to run the service locally. However, the attackers used their own hardcoded token, diverting all the revenue to their own account. A potential attack routine is shown in Figure 1.
IOCs
SHA256
856963cece315dea93a685a9cc76cc2c75a8625694c03c3e15a2bc1a78766